 

Greg's Tech blog

Clean up old computer accounts

Wednesday 06 of May, 2009
We needed a way to delete aging computer accounts from AD. This script uses the DS* tools from MS (included in Win2k3, Win2k8 and Vista).

Notes:
  • You need to specify the root OU and directories for the email tool.
  • You need to specify the inactive timer (currently 12 weeks)
  • You need to set the search limit (currently 100 accounts).
  • To make it take action, you must call it with a parameter of 'Prod'; otherwise it runs in test mode (no deletions).
  • Any computer account that has the string !!Do Not Delete!! in the description will not be deleted.
  • Any computer account with child objects (e.g. virtual server hosts) will not be deleted.
  • The script uses blat to send email with the results. You can rip that out by commenting out the line 'goto :-SendReport'.


Please leave a comment should you make use of this tool.


{CODE()}
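@echo off
:: FindAgingCompAccts - GjM - 5/1/09
:: Uses MS tools (dsquery, dsget, dsrm) to locate inactive computer accounts and delete them.
:: Computer accounts with !!Do Not Delete!! in the Description are skipped, not deleted.
::
:: Usage: FindAgingCompAccts [Prod]
::   Without the Prod parameter the script only reports what it would delete.
:: Set blatexe, dsbin and RootOU below before running.
::
:: NOTE(review): in the published copy of this script most redirection targets had
:: been replaced by the text "No value assigned". The logfile / actlog / inactlog /
:: errlog / OldAcct targets used below are reconstructed from the variables defined
:: here and should be confirmed against the original script.

setlocal
:: blatexe is the full path to blat (the mail sender used by :-SendReport and :ERR)
Set blatexe=c:\netadmin\bin\blat.exe
:: dsbin is the directory holding dsquery & the other DS tools (leave blank if in PATH;
:: otherwise include the trailing backslash, it is prefixed directly to the tool name)
set dsbin=
:: SCRIPT_DRV / SCRIPT_DIR are taken from this batch file's own location.
:: %~p0 carries no drive letter, so SCRIPT_DRV is needed whenever we cd.
set SCRIPT_DRV=%~d0
set SCRIPT_DIR=%~p0
echo scriptdir: %SCRIPT_DIR%
set LogDir=%SCRIPT_DIR%logs
set TempDir=%SCRIPT_DIR%temp
set DataDir=%SCRIPT_DIR%data
:: OldAcct receives the dsquery output (one DN per line)
set OldAcct=%DataDir%\oldacct.txt
:: per-run logs; action/error are rolled into *_history.log at the start of each run
set logfile=%LogDir%\Oldcomp.log
set actlog=%LogDir%\action.log
set inactlog=%LogDir%\inaction.log
set errlog=%LogDir%\error.log
set resultfile=%TempDir%\results.log
set tempout=%TempDir%\temp.log

:: search base for dsquery (quoted because the value contains commas)
set RootOU="DC=corp,DC=com"

:: Call batch file with Prod as a parameter in order to delete accounts
set MODE=%1
if NOT DEFINED MODE (
  set MODE=Test
  echo The script must be called with a parameter of 'Prod' in order to change accounts ^(ex: 'FindAgingCompAccts Prod'^)
)
echo Mode is: %MODE%
:: accounts whose description contains this string are never deleted
set SKIP_FLAG=!!Do Not Delete!!
:: weeks of inactivity (dsquery -inactive) before an account is a candidate
set INACTIVE_PERIOD=12
set ISFlagged=0

:: for Search_Limit use 0 to find all inactive accounts
set Search_Limit=100

:: Make sure the working directories exist, then work from the log directory.
:: cd /d also switches drive, which a plain cd on a path without a drive letter does not.
if not exist "%SCRIPT_DRV%%LogDir%" mkdir "%SCRIPT_DRV%%LogDir%"
if not exist "%SCRIPT_DRV%%TempDir%" mkdir "%SCRIPT_DRV%%TempDir%"
if not exist "%SCRIPT_DRV%%DataDir%" mkdir "%SCRIPT_DRV%%DataDir%"
cd /d "%SCRIPT_DRV%%LogDir%"
if ERRORLEVEL 1 (
  echo Cannot change to log directory %SCRIPT_DRV%%LogDir% - aborting
  goto :EOF
)

:: Roll the previous session's action/error logs into the history files
:: (best effort: on a first run these may report that the files do not exist yet)
copy action_history.log+action.log action.tmp
del action_history.log
ren action.tmp action_history.log

copy error_history.log+error.log error.tmp
del error_history.log
ren error.tmp error_history.log

:: Start this session with empty per-run logs
if exist "%logfile%" del "%logfile%"
if exist "%actlog%" del "%actlog%"
if exist "%inactlog%" del "%inactlog%"
if exist "%errlog%" del "%errlog%"

:: session counters (updated by the :Chk* / :-* subroutines below)
set ActCount=0
set SkipCount=0
set PrevCount=0
set ErrCount=0
set TestCount=0
set count=0

:: Query AD for inactive accounts
echo %Date% %Time% Starting automatic account maintenance to clean inactive computer accounts
echo %Date% %Time% Starting automatic account maintenance to clean inactive computer accounts >>"%logfile%"
echo Querying inactive accounts
:: The original also wrote a timestamp line into OldAcct first; the 1> redirect here
:: overwrote it immediately, so that write is dropped. dsquery's stderr goes to
:: dsquery.err in the log directory and is reported by :ERR.
%dsbin%dsquery computer %RootOU% -inactive %INACTIVE_PERIOD% -limit %Search_Limit% 1>"%OldAcct%" 2>dsquery.err
if %ERRORLEVEL% NEQ 0 goto :ERR

:: Count inactive accounts (usebackq so the quoted path may contain spaces)
for /f "usebackq delims=?" %%a in ("%OldAcct%") do set /a count+=1 >nul
echo Inactive accounts to process: %count%

:ProcessInactiveAccounts
:: Main loop: check each inactive account and delete or skip it
for /f "usebackq delims=?" %%a in ("%OldAcct%") do call :ChkUserStatus %%a
:: Report via blat; comment out the next line to skip emailing.
:: call (rather than goto) so the cd back to the script directory below still runs.
call :-SendReport
cd /d "%SCRIPT_DRV%%SCRIPT_DIR%"
goto :EOF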

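:ChkUserStatus
:: Decide what to do with one inactive computer account.
::   %1 - distinguished name of the account as printed by dsquery (quoted or not)
:: Sets CN (read by :-DeleteAcct) and calls :-DeleteAcct unless the description
:: contains SKIP_FLAG, in which case :-SkipAcct is called instead.
:: The description is never expanded onto a command line: dsget writes it to
:: tempout and findstr searches that file, so description text that contains cmd
:: metacharacters cannot alter the commands run here (the original echoed the
:: description through a for /f variable). A blank description is also handled;
:: the original's tokens=2 loop silently skipped such accounts without any log.
set CN=%~1
if not defined CN goto :EOF
echo %CN%
%dsbin%dsget computer -desc -q -L "%CN%" >"%tempout%" 2>>"%errlog%"
:: assumes dsget returns a non-zero exit code when it cannot read the object - confirm
if ERRORLEVEL 1 (
  echo Could not read description for %CN% - not deleting >>"%errlog%"
  echo Could not read description for %CN% - not deleting
  set /a ErrCount+=1
  goto :EOF
)
:: findstr returns errorlevel 1 when the flag is not found in the desc: line
findstr /i /c:"%SKIP_FLAG%" "%tempout%" >nul
if ERRORLEVEL 1 (
  call :-DeleteAcct "%CN%"
) else (
  call :-SkipAcct "%CN%"
)
goto :EOF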

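:-DeleteAcct
:: Delete the computer account whose DN is in CN (set by :ChkUserStatus).
:: Reads MODE, CN, dsbin, actlog, inactlog, errlog; updates ActCount, ErrCount, TestCount.
:: In any mode other than Prod the account is only logged to inactlog.
:: NOTE(review): log targets are reconstructed from the garbled published copy - confirm.
:: NOTE(review): -subtree removes child objects together with the account, while the
:: blog notes say accounts with child objects are not deleted - confirm which is
:: intended before running in Prod.
if not "%MODE%"=="Prod" (
  echo Mode is %MODE% - not deleting, %CN% >>"%inactlog%"
  echo Mode is %MODE% - not deleting, %CN%
  set /a TestCount+=1
  goto :EOF
)
echo Trying to delete computer account: %CN% >>"%actlog%"
echo Trying to delete computer account: %CN%
:: dsrm's combined stdout/stderr is searched for "failed". The original ran its
:: success branch only from inside a findstr "failed" loop, so the "deleted" line
:: was never written and ActCount relied on a pre-increment plus a decrement on
:: failure; here each outcome is logged and counted once.
%dsbin%dsrm "%CN%" -noprompt -subtree 2>&1 | findstr /i /c:"failed" >nul
if ERRORLEVEL 1 (
  echo Computer account deleted: %CN% >>"%actlog%"
  echo Computer account deleted: %CN%
  set /a ActCount+=1
) else (
  echo Error deleting %CN%
  echo Error deleting %CN% >>"%errlog%"
  set /a ErrCount+=1
)
goto :EOF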

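:-SkipAcct
:: Log an account whose description carries SKIP_FLAG and count it.
::   %1 - DN of the account (logged as passed)
:: Updates SkipCount.
:: NOTE(review): the log target was garbled in the published copy; inactlog is a
:: reconstruction - confirm.
echo Account flagged, skipping computer, %1 >>"%inactlog%"
echo Account flagged, skipping computer, %1
set /a SkipCount+=1
goto :EOF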

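:-SendReport
:: Print the session summary, append it to the log file and (Prod only) mail it with blat.
:: Reads MODE, ActCount, SkipCount, ErrCount, TestCount, logfile, actlog, errlog,
:: blatexe and SCRIPT_DIR.
:: NOTE(review): the summary/mail-body target and the two attachments were garbled
:: ("No value assigned") in the published copy; logfile, actlog and errlog are
:: reconstructions - confirm against the original.
echo Mode is: %MODE%
echo DeletedAccounts: %ActCount%
echo FlaggedAccounts: %SkipCount%
echo ErrorAccounts: %ErrCount%
echo Test Accounts: %TestCount%

echo Mode is: %MODE% >>"%logfile%"
echo Deleted Accounts: %ActCount% >>"%logfile%"
echo Flagged Accounts: %SkipCount% >>"%logfile%"
echo Error Accounts: %ErrCount% >>"%logfile%"
echo Test Count: %TestCount% >>"%logfile%"

echo See inaction.log at \\exchmonitor\c$%SCRIPT_DIR% >>"%logfile%"
type "%SCRIPT_DIR%\usagenote.txt" >>"%logfile%"
:: WORK_DIR is never set in this script (only a commented-out cd referenced it), so the
:: original "-attacht %WORK_DIR%\results.txt" named a file that is not produced here;
:: that attachment is dropped. resultfile is defined but nothing writes to it either.
if %Mode%==Prod %blatexe% "%logfile%" -tf "%SCRIPT_DIR%\recips.txt" ^
  -subject "Computer account maintenance" ^
  -attacht "%actlog%" -attacht "%errlog%" ^
  -server smtpint.corp.com -f AccountManagers@corp.com
goto :EOF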

:IsDisabled
:: Sets ISDIS to 1 when the user account given as %1 is disabled, otherwise to 0.
::   %1 - DN of a user account (passed to dsget user unquoted, as written)
:: Not called from anywhere in this script, which works on computer objects;
:: this routine queries user objects.
for /f "delims=: tokens=2" %%d in ('dsget user -disabled -q -L %1') do (
  for %%f in (%%d) do (
    set ISDIS=0
    if %%f==yes set ISDIS=1
  )
)
goto :EOF

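:ERR
:: dsquery failed: record it and mail the error report with blat. Unlike
:: :-SendReport this is sent in every mode, not only Prod.
:: Reads logfile, SCRIPT_DIR, blatexe. ERRORLEVEL is read on the first line so it
:: still holds dsquery's exit code.
:: NOTE(review): the original echoed a garbled variable into a garbled target here and
:: had two garbled attachments; ERRORLEVEL, logfile and dsquery.err are reconstructions.
echo Error retrieving inactive computer accounts - dsquery exit code %ERRORLEVEL% >>"%logfile%"
echo Error retrieving inactive computer accounts
:: dsquery.err holds dsquery's stderr, written in the log directory by the query step
type dsquery.err >>"%logfile%"
type "%SCRIPT_DIR%\usagenote.txt" >>"%logfile%"
%blatexe% "%logfile%" -tf "%SCRIPT_DIR%\recips.txt" ^
  -subject "Error with computer account maintenance" ^
  -attacht dsquery.err ^
  -server smtpint.corp.com -f AccountManagers@corp.com
goto :EOF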



{/CODE}